+static uint16_t inet_checksum(void *data, int len, uint16_t prevsum) {
+ uint16_t *p = data;
+ uint32_t checksum = prevsum ^ 0xFFFF;
+
+ while(len >= 2) {
+ checksum += *p++;
+ len -= 2;
+ }
+
+ if(len)
+ checksum += *(uint8_t *)p;
+
+ while(checksum >> 16)
+ checksum = (checksum & 0xFFFF) + (checksum >> 16);
+
+ return ~checksum;
+}
+
+static bool ratelimit(int frequency) {
+ static time_t lasttime = 0;
+ static int count = 0;
+
+ if(lasttime == now.tv_sec) {
+ if(count >= frequency)
+ return true;
+ } else {
+ lasttime = now.tv_sec;
+ count = 0;
+ }
+
+ count++;
+ return false;
+}
+
+static bool checklength(node_t *source, vpn_packet_t *packet, length_t length) {
+ if(packet->len < length) {
+ logger(DEBUG_TRAFFIC, LOG_WARNING, "Got too short packet from %s (%s)", source->name, source->hostname);
+ return false;
+ } else
+ return true;
+}
+
+static void clamp_mss(const node_t *source, const node_t *via, vpn_packet_t *packet) {
+ if(!source || !via || !(via->options & OPTION_CLAMP_MSS))
+ return;
+
+ uint16_t mtu = source->mtu;
+ if(via != myself && via->mtu < mtu)
+ mtu = via->mtu;
+
+ /* Find TCP header */
+ int start = ether_size;
+ uint16_t type = DATA(packet)[12] << 8 | DATA(packet)[13];
+
+ if(type == ETH_P_8021Q) {
+ start += 4;
+ type = DATA(packet)[16] << 8 | DATA(packet)[17];
+ }
+
+ if(type == ETH_P_IP && DATA(packet)[start + 9] == 6)
+ start += (DATA(packet)[start] & 0xf) * 4;
+ else if(type == ETH_P_IPV6 && DATA(packet)[start + 6] == 6)
+ start += 40;
+ else
+ return;
+
+ if(packet->len <= start + 20)
+ return;
+
+ /* Use data offset field to calculate length of options field */
+ int len = ((DATA(packet)[start + 12] >> 4) - 5) * 4;
+
+ if(packet->len < start + 20 + len)
+ return;
+
+ /* Search for MSS option header */
+ for(int i = 0; i < len;) {
+ if(DATA(packet)[start + 20 + i] == 0)
+ break;
+
+ if(DATA(packet)[start + 20 + i] == 1) {
+ i++;
+ continue;
+ }
+
+ if(i > len - 2 || i > len - DATA(packet)[start + 21 + i])
+ break;
+
+ if(DATA(packet)[start + 20 + i] != 2) {
+ if(DATA(packet)[start + 21 + i] < 2)
+ break;
+ i += DATA(packet)[start + 21 + i];
+ continue;
+ }
+
+ if(DATA(packet)[start + 21] != 4)
+ break;
+
+ /* Found it */
+ uint16_t oldmss = DATA(packet)[start + 22 + i] << 8 | DATA(packet)[start + 23 + i];
+ uint16_t newmss = mtu - start - 20;
+ uint16_t csum = DATA(packet)[start + 16] << 8 | DATA(packet)[start + 17];
+
+ if(oldmss <= newmss)
+ break;
+
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Clamping MSS of packet from %s to %s to %d", source->name, via->name, newmss);
+
+ /* Update the MSS value and the checksum */
+ DATA(packet)[start + 22 + i] = newmss >> 8;
+ DATA(packet)[start + 23 + i] = newmss & 0xff;
+ csum ^= 0xffff;
+ csum -= oldmss;
+ csum += newmss;
+ csum ^= 0xffff;
+ DATA(packet)[start + 16] = csum >> 8;
+ DATA(packet)[start + 17] = csum & 0xff;
+ break;
+ }
+}
+
+static void swap_mac_addresses(vpn_packet_t *packet) {
+ mac_t tmp;
+ memcpy(&tmp, &DATA(packet)[0], sizeof tmp);
+ memcpy(&DATA(packet)[0], &DATA(packet)[6], sizeof tmp);
+ memcpy(&DATA(packet)[6], &tmp, sizeof tmp);
+}
+
+static void age_subnets(void *data) {
+ bool left = false;
+
+ for splay_each(subnet_t, s, myself->subnet_tree) {
+ if(s->expires && s->expires < now.tv_sec) {
+ if(debug_level >= DEBUG_TRAFFIC) {
+ char netstr[MAXNETSTR];
+ if(net2str(netstr, sizeof netstr, s))
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Subnet %s expired", netstr);
+ }
+
+ for list_each(connection_t, c, connection_list)
+ if(c->edge)
+ send_del_subnet(c, s);
+
+ subnet_del(myself, s);
+ } else {
+ if(s->expires)
+ left = true;
+ }
+ }
+
+ if(left)
+ timeout_set(&age_subnets_timeout, &(struct timeval){10, rand() % 100000});
+}
+
+static void learn_mac(mac_t *address) {
+ subnet_t *subnet = lookup_subnet_mac(myself, address);
+
+ /* If we don't know this MAC address yet, store it */
+
+ if(!subnet) {
+ logger(DEBUG_TRAFFIC, LOG_INFO, "Learned new MAC address %x:%x:%x:%x:%x:%x",
+ address->x[0], address->x[1], address->x[2], address->x[3],
+ address->x[4], address->x[5]);
+
+ subnet = new_subnet();
+ subnet->type = SUBNET_MAC;
+ subnet->expires = now.tv_sec + macexpire;
+ subnet->net.mac.address = *address;
+ subnet->weight = 10;
+ subnet_add(myself, subnet);
+ subnet_update(myself, subnet, true);
+
+ /* And tell all other tinc daemons it's our MAC */
+
+ for list_each(connection_t, c, connection_list)
+ if(c->edge)
+ send_add_subnet(c, subnet);
+
+ timeout_add(&age_subnets_timeout, age_subnets, NULL, &(struct timeval){10, rand() % 100000});
+ } else {
+ if(subnet->expires)
+ subnet->expires = now.tv_sec + macexpire;
+ }
+}
+
+/* RFC 792 */
+
+static void route_ipv4_unreachable(node_t *source, vpn_packet_t *packet, length_t ether_size, uint8_t type, uint8_t code) {
+ struct ip ip = {0};
+ struct icmp icmp = {0};
+
+ struct in_addr ip_src;
+ struct in_addr ip_dst;
+ uint32_t oldlen;